The DPA is the competent authority for the DP Law's enforcement. It is authorized and obliged to monitor implementation of the DP Law, both ex officio, and upon a third-party complaint.

When monitoring the DP Law's implementation, the DPA is authorized to pass the following decisions:

• Order removal of the existing irregularities within certain period of time;
• Temporarily ban the processing of personal data which is carried out in violation of the DP Law;
• Order deletion of unlawfully collected data;
• Ban transfer of data outside of Montenegro or its disclosure to data recipients carried out in violation of the DP Law;
• Ban data processing by an outsourced data processor if it does not fulfil the data protection requirements or if its engagement as a data processor is carried out in contravention to the DP Law.

The DPA's decisions may not be appealed, but an administrative dispute before the competent court may be initiated against the same.

The DPA may also file a request for the initiation of offence proceeding before a competent Montenegrin court. The offenses and sanctions are explicitly prescribed by the DP Law, which includes monetary fines ranging from €500 to €20,000 for a legal entity and ranging from €150 to €2,000 for a responsible person in a legal entity.

There exists potential criminal liability. The unauthorized collection and use of personal data is a criminal offense under the Montenegrin Criminal Code, punishable with a fine (in an amount to be determined by the court) or imprisonment up to one year (i.e. up to three years if committed by a public official / state servant when performing his duties). Both natural persons and legal entities can be subject to criminal liability.